Record Retention As the term implies, record retention involves retaining and maintaining important informa- tion. An organization should have a policy that defines what information is maintained and for how long. As it applies to the security infrastructure, in most cases, the records in question are audit trails of user activity, which may include file and resource access, logon patterns, e-mail, and the use of privileges. Retention Time Frames Depending upon your industry and your relationship with the government, you may need to retain records for three years, seven years, or indefinitely. In most cases, a separate backup mechanism is used to create archived copies of sensitive audit trails and accountability infor- mation. This allows for the main data backup system to periodically reuse its media without violating the requirement to retain audit trails and the like. If data about individuals is being retained by your organization, the employees and custom- ers need to be made aware of it such as in a conditional employment agreement or a use agree- ment. In many cases, the notification requirement is a legal issue, whereas in others it is a simply a courtesy. In either case, it is a good idea to discuss the issue with a lawyer. Media, Destruction, and Security The media used to store or retain audit trails must be properly maintained. This includes taking secure measures for the marking, handling, storage, and destruction of media. For details on handling sensitive media, please see the section titled “Sensitive Information and Media” in Chapter 13, “Administrative Management.” Retained records should be protected against unauthorized and untimely destruction, against alteration, and against hindrances to availability. Many of the same security controls used to protect online resources and assets can be imposed to protect audit logs, audit trails, audit reports, and backup media containing audit information. Access to audit information should be strictly controlled. Audit information can be used in inference attacks to discover information about higher classifications of data, thus the audit logs containing records about highly confidential assets should be handled in the same secure man- ner as the actual assets. Another way of stating this is that when an audit log is created, you are creating another asset entity with the same security needs as the original audited asset. As the value of assets and the audit data goes up and risk increases, so does the need for an increase in security and frequency of backups for the audit information. Audit data should be treated with the same security precautions as all other high-classification data within an IT envi- ronment. It should be protected by physical and logical security controls, it should be audited, it should be regularly backed up, and the backup media should be stored off site in a controlled facility. The backup media hosting audit data should be protected from loss, destruction, alter- ation, and unauthorized physical and logical access. The integrity of audit data must be main- tained and protected at all times. If audit data is not accurate, it is useless.